The U.S. Securities and Exchange Commission (SEC) and the Commodity Trading Futures Commission (CFTC) have widened their investigations and fined another series of firms for recordkeeping failures. As with previous recordkeeping breaches, the firms concerned failed to stop employees, including those at senior levels, from communicating using unapproved communication methods, including messages sent via personal text and WhatsApp. The total monetary penalties imposed is now more than $2.6bn.

The CFTC imposed a fine of $20m (download CFTC article here) on an introducing broker and a futures commission merchant in the same group for failing, since at least 2019, to maintain and preserve records that were required to be kept under CFTC recordkeeping requirements. The order also found the widespread use of unapproved communication methods violated the firm's internal policies and procedures, which generally prohibited business-related communication taking place via unapproved methods. Further, some of the same supervisory personnel responsible for ensuring compliance with the firm's policies and procedures themselves used non-approved methods of communication to engage in business-related communications, in violation of firm policy.

The SEC enforcement actions were against five broker-dealers, three dually registered broker-dealers and investment advisers, two affiliated investment advisers and, separately, two credit rating agencies all for widespread and longstanding failures to maintain and preserve electronic communications. The combined penalties were $79m for the 10 firms and then another $10m for the recordkeeping failures at the credit rating agencies. The SEC's investigations uncovered pervasive and longstanding off-channel communications whereby employees communicated through personal text messages. The firms did not maintain or preserve the substantial majority of these off-channel communications, in violation of the federal securities laws. By failing to maintain and preserve required records, certain of the firms likely deprived the SEC of these off-channel communications in various SEC investigations. As with the CFTC findings, the failures involved employees at multiple levels of authority, including supervisors and senior managers, which appears to have invoked the ire of both the SEC and CFTC.

The SEC made a particular point that one firm had a substantially reduced fine for self-reporting the issue - "One of the orders included in today's announced actions is not like the others," said Gurbir S. Grewal, Director of the SEC's Division of Enforcement. "There are real benefits to self-reporting, remediating and cooperating."

Regulatory patience has run out

The background to the latest set of fines serves to reinforce the zero tolerance approach regulators are taking with regards to communications capture. Firms were found to have consistently and pervasively failed to fulfill their regulatory obligations with regard to electronic communications records capture and preservation. Equally important in this suite of fines is the firms' (with the one exception) failure to have learnt the lessons of previous enforcement actions and proactively considered whether they too were in breach of recordkeeping requirements. The regulatory rhetoric has made crystal clear that for firms, and the C-suite in particular, compliance is not optional.

The statements by the CFTC Commissioners are pertinent:

"Evolving technologies pose new risks and compliance challenges to registrants at increasing speeds. Registrants must continuously update their policies and procedures as new contexts and obstacles arise. But policies are not sufficient on their own. Companies must take seriously the need to create tone at the top that universally emphasizes the importance of compliance at all levels of an organization. Without doing so, the compliance function will exist only on paper, as it apparently did in this case. And once again I am reiterating that the Commission needs to think deeply about additional rules to deter this kind of misconduct in the future."

- Commissioner Kristin N. Johnson (statement)

"[ the firm ] should not be able to just pay the penalties, fix this one problem, and continue to operate business as usual. The "tone at the top" of this broker should change immediately to a tone of continued compliance with the law. [..] Change can only happen if the C-suite of financial institutions establishes a culture of compliance over evasion. It is far past time for the C-suite to step up."

- Commissioner Christy Goldsmith Romero (statement)

Facilitating compliant communications

It is clear that the challenge of unmonitored communication channels is far from over. Firms must consider how they can open up approved platform features to increase productivity and employee satisfaction and reduce reliance on off-channel platforms. Part of that functionality should be the capability to capture, robustly and in native context, all modalities including GIFs, emojis, additions, deletions, video, email and voice. If firms choose to do nothing and unmonitored communications are found by a regulatory body then significantly larger sanctions are likely. Indeed given the regulatory rhetoric it is entirely possible that future sanctions will include senior individual liability and accountability.

Originally published Oct 5, 2023

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.